CVE-2024-42356: Shopware Context Variable Injection Vulnerability in Twig Templates

Shopware is a popular open commerce platform that provides businesses and developers with a robust and feature-rich environment to create customized e-commerce solutions. However, prior to versions 6.6.5.1 and 6.5.8.13, the platform was susceptible to a vulnerability involving the context variable that is injected into almost all Twig Templates. This variable not only exposed sensitive data like language and currency information but also enabled attackers to call any statically callable PHP function or method from Twig.

Affected Versions

Shopware versions prior to 6.6.5.1 and 6.5.8.13. The vulnerability also impacts older versions 6.1, 6.2, 6.3, and 6.4 but can be mitigated using a security plugin.

Exploit Details

The vulnerability exists because the context variable is injected into almost any Twig Template, giving access to current language and currency information. Furthermore, the context object allows switching the scope for a short time using a helper with a callable function. Since the second parameter of the function accepts any callable, it becomes possible to call any statically callable PHP function or method from Twig.

Please note that an attacker needs administrative access to exploit this vulnerability using Mail templates or App Scripts, as regular customers cannot provide any Twig code.

Here's a sample illustrating the vulnerability

{# In a Twig Template #}
{% set contextSwitcher = context.createLanguageSwitcher %}
{% set result = contextSwitcher.call('Some\Class::staticMethod', arg1, arg2) %}

In this example, the context variable is used to create a language switcher and then call a static method from a given class.

Original References

1. Shopware Security Update
2. Shopware Context Variable Vulnerability

Mitigation

To address this vulnerability, it is recommended that affected users update to Shopware 6.6.5.1 or 6.5.8.13 for the appropriate patch. For older versions (6.1, 6.2, 6.3, and 6.4), users can install a dedicated security plugin that provides corresponding security measures.

Conclusion

Shopware is a powerful platform for e-commerce solutions, but this vulnerability demonstrates the importance of updating to the latest version and ensuring proper security measures are in place. By updating to Shopware 6.6.5.1 or 6.5.8.13, or installing the security plugin for older versions, users can protect their systems from potential exploitation by attackers with administrative access.

Timeline

Published on: 08/08/2024 15:15:18 UTC
Last modified on: 08/12/2024 15:34:08 UTC